Difference between revisions of "Security/VMT-Metrics"
Robert-clark (talk | contribs) (→DREAD) |
Robert-clark (talk | contribs) (→DREAD) |
||
| Line 11: | Line 11: | ||
Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 10 | Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 10 | ||
| − | + | ==== Damage Potential ==== | |
** 0 = X | ** 0 = X | ||
** 5 = Y | ** 5 = Y | ||
** 10 = Z | ** 10 = Z | ||
| − | + | ==== Reproducibility ==== | |
** 0 = X | ** 0 = X | ||
** 5 = Y | ** 5 = Y | ||
** 10 = Z | ** 10 = Z | ||
| − | + | ==== Exploitability ==== | |
** 0 = X | ** 0 = X | ||
** 5 = Y | ** 5 = Y | ||
** 10 = Z | ** 10 = Z | ||
| − | + | ==== Affected Users ==== | |
** 0 = X | ** 0 = X | ||
** 5 = Y | ** 5 = Y | ||
** 10 = Z | ** 10 = Z | ||
| − | + | ==== Discoverability ==== | |
** 0 = X | ** 0 = X | ||
** 5 = Y | ** 5 = Y | ||
Revision as of 09:58, 12 November 2014
Contents
Introduction
The OpenStack Security Group suggests that when OpenStack Security Advisories are created by the VMT use the following metrics to score the potential impact of vulnerabilities on OpenStack Deployments
As with all scoring systems this will not be universally applicable but will provide basic guidance to the severity of each vulnerability.
The OSSG has adapted the DREAD metric as a basis for OpenStack vulnerability impact assessment. We adapted each of the scoring categories to better reflect the impact of a vulnerability in a cloud context.
DREAD
DREAD scores five categories, which are summed together and divided by five, the result is a score from 0-10 where 0 indicates no impact and 10 is the worst possible outcome:
Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 10
Damage Potential
- 0 = X
- 5 = Y
- 10 = Z
Reproducibility
- 0 = X
- 5 = Y
- 10 = Z
Exploitability
- 0 = X
- 5 = Y
- 10 = Z
Affected Users
- 0 = X
- 5 = Y
- 10 = Z
Discoverability
- 0 = X
- 5 = Y
- 10 = Z
Discussion
Boopity boop
